Update-VIPUsers-Watchlist-from-AzureAD-Group cannot retrieve the full user list #11394

Open
pixel559 opened this issue Nov 7, 2024 · 9 comments
Assignees
Labels
Playbook Playbook specialty review needed

Comments

@pixel559

pixel559 commented Nov 7, 2024

This refers to the playbook that can be found below:
https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Update-VIPUsers-Watchlist-from-AzureAD-Group
https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-microsoft-sentinel-vip-users-watchlist-from-azure-ad-group-using-playbook/3100184

This playbook is not working correctly for an Entra ID group with more than 100 users.
The VIP users list is not being updated correctly. The VIP group has over 300 members, and on the logic app step 'HTTP - Get VIP Azure AD Group Members' only 100 users are returned.

It looks like the API is returning only 100 results due to paging.
https://learn.microsoft.com/en-us/graph/paging?tabs=http
There is an '@odata.nextLink' in the result of the initial call, and the API call needs to keep being repeated as long as nextLink is available to retrieve all users from the group.

Please update the template to overcome the paging problem that leads to an incomplete VIP User List.

@v-rusraut v-rusraut added the Playbook Playbook specialty review needed label Nov 8, 2024
@v-rusraut
Contributor

Hi @pixel559, thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

@v-shukore
Contributor

Hi @pixel559, we are working on this issue and will update on this soon. Thanks!!

@v-shukore
Contributor

Hi @pixel559, could you please provide more information regarding this issue? Clarifying more details will help us to resolve it more effectively. Thanks!!

@v-shukore
Contributor

Hi @pixel559, we are waiting for your valuable feedback. Please provide an update on the same. Thanks!!

@pixel559
Author

Hi @v-shukore, could you please elaborate as to which details you need?
The playbook does not retrieve all the group members if there are more than 100 users. This is how the API works, and there is a link to the documentation in the original description.

```json
"HTTP_-Get_VIP_Azure_AD_Group_Members": {
    "runAfter": {
        "HTTP_-_Get_Group_details": [
            "Succeeded"
        ]
    },
    "type": "Http",
    "inputs": {
        "authentication": {
            "audience": "https://graph.microsoft.com/",
            "type": "ManagedServiceIdentity"
        },
        "method": "GET",
        "uri": "https://graph.microsoft.com/v1.0/groups/@{variables('VIP Group ID')}/members"
    }
}
```
This step would only retrieve 100 results due to paging, therefore the watchlist would not be complete (if there are more than 100 members in the group).
In order to get the complete results, the step needs to keep repeating as long as the response returns '@odata.nextLink' with the link for the next batch of users that are members of the group.

This and later steps need to be updated for the logic app to work correctly.

Please note, this request has been open for over 2 months now, and only at this point is additional information requested.

@v-shukore
Contributor

Hi @pixel559,
Thanks for your response.
We will investigate this issue and get back to you ASAP. Thanks!!

@pixel559
Author

Hello @v-shukore ,
Are there any updates?

@v-shukore
Contributor

Hi @pixel559,
Thanks for your response,
As discussed with the concerned team, we found that the default result limit in the playbook is set to 100, which is why you are only receiving 100 users as a result. If you need to retrieve more than 100 users, you will need to update the query parameter ?$top=(number), with a maximum limit of 999 based on the API. For further understanding, please refer to the documentation below.
https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http#optional-query-parameters

@pixel559
Author

Hello @v-shukore ,
I do not think you understand the request.
The request is to UPDATE the playbook to retrieve all group members.
Also, the playbook does not limit the number of group members returned. Please point to the explicit line in the playbook which limits the result to 100. (And yes, I understand that 100 is the default number of group members returned, as well as that @odata.nextLink should be returned.)
The request is to UPDATE the playbook so it is agnostic to the number of members in the group. So the list would return whatever the number of group members is.
Checking the count of the number of users in the group breaks the idea of automatic updates of the watchlist. And this is centered on the default limit and paging.

Please update the automation template supplied by Microsoft to retrieve the full list of group members regardless of the count of group members.
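Added example, not code from the playbook or from anyone in this thread: a Python pager that follows `@odata.nextLink` exactly as the earlier comment describes, beside a single-call function that mirrors the current HTTP step, so the two can be compared on a constructed stand-in for Graph that honours `$top` (default 100, cap 999) and pages via `$skiptoken`. The injected `fetch` callable and `fake_graph` are assumptions for running offline; against a real tenant, `fetch` would be an authenticated GET returning the parsed JSON body.

```python
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse, parse_qs

GRAPH = "https://graph.microsoft.com/v1.0"
Fetch = Callable[[str], Dict]   # hypothetical client: GET url -> parsed JSON body


def single_call_members(fetch: Fetch, group_id: str, top: Optional[int] = None) -> List[Dict]:
    """What the current playbook step does: one GET, first page only (optionally with $top)."""
    url = f"{GRAPH}/groups/{group_id}/members"
    if top is not None:
        url += f"?$top={top}"
    return fetch(url).get("value", [])


def all_members(fetch: Fetch, group_id: str, top: int = 999, max_pages: int = 1000) -> List[Dict]:
    """Follow @odata.nextLink until it is absent, so the result does not depend on group size."""
    url = f"{GRAPH}/groups/{group_id}/members?$top={top}"
    members: List[Dict] = []
    seen = set()
    for _ in range(max_pages):
        page = fetch(url)
        members.extend(page.get("value", []))
        next_url = page.get("@odata.nextLink")   # absent on the last page
        if not next_url:
            return members
        if next_url in seen:                      # defensive: a repeated link must not loop forever
            raise RuntimeError("@odata.nextLink cycle detected")
        seen.add(next_url)
        url = next_url
    raise RuntimeError(f"still paging after {max_pages} pages; refusing to continue")


def fake_graph(total_members: int) -> Fetch:
    """Constructed stand-in for Graph: honours $top (default 100, cap 999), pages via $skiptoken."""
    ids = [f"user-{i:04d}" for i in range(total_members)]

    def fetch(url: str) -> Dict:
        q = parse_qs(urlparse(url).query)
        top = min(int(q.get("$top", ["100"])[0]), 999)
        skip = int(q.get("$skiptoken", ["0"])[0])
        chunk = ids[skip:skip + top]
        body: Dict = {"value": [{"id": i, "userPrincipalName": f"{i}@contoso.example"} for i in chunk]}
        if skip + top < total_members:            # more members left: hand out the next link
            body["@odata.nextLink"] = f"{GRAPH}/groups/g/members?$top={top}&$skiptoken={skip + top}"
        return body

    return fetch
```

On the stand-in, the single call returns 100 of a 300-member group and, even with `$top=999`, only 999 of a 1500-member group, while the pager returns every member in both cases.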
